(1)

Article 26(1) of Regulation (EU) No 596/2014 requires the competent authorities of Member States where necessary to conclude cooperation arrangements with supervisory authorities of third countries concerning the exchange of information and the enforcement of obligations arising under that Regulation in third countries. Cooperation arrangements on exchange of information can only be concluded if the information to be disclosed under them is subject to guarantees of professional secrecy at least equivalent to those set out in Article 27 of that Regulation, and such exchanges must be intended for the performance of the tasks of the competent authorities in question.

(2)

The third subparagraph of Article 25(8) of Regulation (EU) No 596/2014 requires competent authorities where possible to conclude cooperation arrangements with third-country regulatory authorities responsible for related spot markets in accordance with Article 26 of that Regulation.

(3)

In concluding new cooperation arrangements and updating existing cooperation arrangements with third-country authorities, the competent authorities where possible are to use the template document adopted pursuant to Article 26 of Regulation (EU) No 2014/596.

(4)

In order to ensure a level of protection of personal data that is in line with Regulation (EU) 2016/679 of the European Parliament and of the Council (2), any transfer of personal data to third countries should be undertaken in full compliance with that regulation. One such way to exchange personal data between competent authorities and supervisory authorities of third countries is through administrative arrangements ensuring appropriate safeguards pursuant to Article 46(3) of by Regulation (EU) 2016/679, which include enforceable and effective rights that natural persons have over their personal data. For the transfer of personal data between European Economic Area (‘EEA’) financial supervisory authorities and non-EEA financial supervisory authorities, such an administrative arrangement has been drafted by the International Organization of Securities Commissions (IOSCO) and the European Securities and Markets Authority (ESMA) (3), and received the positive opinion of the European Data Protection Board (EDPB) (4). All EEA financial supervisory authorities and a number of non-EEA financial supervisory authorities have signed the ESMA-IOSCO administrative arrangement. In light of the broad institutional consensus around personal data safeguards provided in the ESMA-IOSCO administrative arrangement, it provides a model for future similar arrangements framing the transfer of personal data between competent authorities and supervisory authorities of third countries which are not parties to the ESMA-IOSCO Administrative Arrangement. However, authorities of Member States using the model ESMA-IOSCO Administrative Arrangement would still need to obtain authorisation by the data protection authority pursuant to Article 46(3) of Regulation (EU) 2016/679.

(5)

This Regulation is based on the draft regulatory technical standards submitted by ESMA to the Commission.

(6)

ESMA did not conduct open public consultations on the draft regulatory technical standards on which this Regulation is based, nor did it analyse the potential related costs and benefits of introducing such standards, as to have done so would have been disproportionate in relation to the scope and impact of those standards, taking into account the fact that the addressees of the standards would only be the competent authorities of the Member States and not market participants.

(7)

ESMA has requested the opinion of the Securities and Markets Stakeholder Group established by Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (5),